On Tue, Sep 25, 2001 at 11:11:53AM +0200, Martin F Krafft wrote:
> please explain how a symlink /etc/bind -> /var/chroot/bind/etc
> would be a security problem?
That would suck. Config files belong in /etc only.
Hamish
--
Hamish Moffatt VK3SB <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
On Sep 26, Peter Palfrader <[EMAIL PROTECTED]> wrote:
>AFAIK mount -o ro --bind /etc/ foo/etc does not mount readonly. So
It will in future 2.4 releases.
>there would be write access to the root partition in the chroot.
It does not matter anyway, because the files are owned by root and BIND 9
w
also sprach Christian Kurz (on Tue, 25 Sep 2001 10:11:07AM +0200):
> But having a link from either the config-files in /etc/bind to $CHROOT
> or in the other direction, could be in my opinion a security risk. In my
> opinion there should be absolutely no link from $CHROOT to any file
> outside the
also sprach Junichi Uekawa (on Wed, 26 Sep 2001 09:23:32PM +0900):
> By the way, are we talking about running bind as non-root
> inside a chroot, or
> are we talking about running bind as root inside a chroot?
is that a serious question? just *why* would you ever run bind9 as
root?
martin;
also sprach Tollef Fog Heen (on Wed, 26 Sep 2001 10:25:15AM +0200):
> The right way is, imho, the way postfix deals with it. It took quite
> some time before I discovered it chrooted itself.
i disagree stronlgy mainly because of things like tripwire, which i
think should be scanning *everything*
Peter Palfrader <[EMAIL PROTECTED]> writes:
> AFAIK mount -o ro --bind /etc/ foo/etc does not mount readonly. So
> there would be write access to the root partition in the chroot.
If they are not writable by the user of the chroot process, that isn't
a problem. If the attacker gets root, the use
On Wed, 26 Sep 2001, Marco d'Itri wrote:
> On Sep 26, Peter Palfrader <[EMAIL PROTECTED]> wrote:
> >Are there any problems I missed with cimply copying the files?
> Yes: people do not want to restart bind at every configuration changes.
good point.
> >Mount -bind is no option, hardlinks aren't
On Sep 26, Peter Palfrader <[EMAIL PROTECTED]> wrote:
>Are there any problems I missed with cimply copying the files?
Yes: people do not want to restart bind at every configuration changes.
>Mount -bind is no option, hardlinks aren't either. Symlinks from
mount --bind is the right solution for
On 01-09-26 Roberto Suarez Soto wrote:
> On Sep/26/2001, Christian Kurz wrote:
> > > I think that maybe he refers to the fact that, for example, you may
> > > have formatted your ext2 partitions so they are incompatible with 2.0.x
> > Well, I once heared about this, but never read an explanation
On 01-09-26 Riku Voipio wrote:
> On Tue, Sep 25, 2001 at 04:34:31PM +0200, Christian Kurz wrote:
> > On 01-09-25 Steve Greenland wrote:
> > > I am so tired of hearing things like this. Nobody is forcing anyone to
> > > do anything. We already "force" them to use 2.2 instead of still using
> > > 2.0
On 25-Sep-01, 09:34 (CDT), Christian Kurz <[EMAIL PROTECTED]> wrote:
> On 01-09-25 Steve Greenland wrote:
> > I am so tired of hearing things like this. Nobody is forcing anyone to
> > do anything. We already "force" them to use 2.2 instead of still using
> > 2.0. You want the functionality, you u
Riku Voipio <[EMAIL PROTECTED]> immo vero scripsit
> who the hell has to do more work, if we add *support* for
> *automaticly* running bind9 in chroot jail if the kernel
> supports --bind mounts?
By the way, are we talking about running bind as non-root
inside a chroot, or
are we talking about
On Wed, 26 Sep 2001, Roberto Suarez Soto wrote:
> On Sep/26/2001, Christian Kurz wrote:
>
> > > I think that maybe he refers to the fact that, for example, you may
> > > have formatted your ext2 partitions so they are incompatible with 2.0.x
> > Well, I once heared about this, but never read an
On Tue, Sep 25, 2001 at 04:34:31PM +0200, Christian Kurz wrote:
> On 01-09-25 Steve Greenland wrote:
> > I am so tired of hearing things like this. Nobody is forcing anyone to
> > do anything. We already "force" them to use 2.2 instead of still using
> > 2.0. You want the functionality, you use the
On Sep/26/2001, Christian Kurz wrote:
> > I think that maybe he refers to the fact that, for example, you may
> > have formatted your ext2 partitions so they are incompatible with 2.0.x
> Well, I once heared about this, but never read an explanation what
> exactly causes the differences in the
On Wed, 26 Sep 2001, Christian Kurz wrote:
> > > and would instead suggestion to modify the documents stating that all
> > > config files should be in /etc to make a exception for $CHROOT.
>
> >
> > NEVER. This is not some low-grade distribution where you can go around
> > scattering configurati
On 01-09-25 Henrique de Moraes Holschuh wrote:
> On Tue, 25 Sep 2001, Christian Kurz wrote:
> > On 01-09-24 Henrique de Moraes Holschuh wrote:
> > > On Mon, 24 Sep 2001, Christian Kurz wrote:
> > > > Hm, that doesn't make much sense too me. I think the best thing would be
> > > > to have /etc/bind
On 01-09-25 Roberto Suarez Soto wrote:
> On Sep/25/2001, Christian Kurz wrote:
> > Were exactly do we force them? Which debian packages do not work well
> > with a 2.0.x kernel?
> I think that maybe he refers to the fact that, for example, you may
> have formatted your ext2 partitions so
* Steve Greenland
| I am so tired of hearing things like this. Nobody is forcing anyone to
| do anything. We already "force" them to use 2.2 instead of still using
| 2.0. You want the functionality, you use the right tools. You want to
| stick with 2.2, then *you* deal with the issues. The mainta
* Christian Kurz
| On 01-09-25 Steve Greenland wrote:
|
| > I am so tired of hearing things like this. Nobody is forcing anyone to
| > do anything. We already "force" them to use 2.2 instead of still using
| > 2.0. You want the functionality, you use the right tools. You want to
|
| Were exactly
On Wed, 26 Sep 2001, Sam Couter wrote:
> On Tue, 25 Sep 2001, Christian Kurz wrote:
> > But having a link from either the config-files in /etc/bind to $CHROOT
> > or in the other direction, could be in my opinion a security risk.
>
> Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote:
> > Oh, h
Sam Couter <[EMAIL PROTECTED]> writes:
> Because the files accessed from within the chroot once it's broken are the
> SAME FILES as on the real system.
We're not discussing running two binds on a system, one in a chroot
and one not. (Although I think I understand your concern now.)
We're discus
On Tue, 25 Sep 2001, Christian Kurz wrote:
> But having a link from either the config-files in /etc/bind to $CHROOT
> or in the other direction, could be in my opinion a security risk.
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote:
> Oh, how so?
Because the files accessed from within the
On Sep/25/2001, Christian Kurz wrote:
> Were exactly do we force them? Which debian packages do not work well
> with a 2.0.x kernel?
I think that maybe he refers to the fact that, for example, you may
have formatted your ext2 partitions so they are incompatible with 2.0.x
kernels. Or to t
On 01-09-25 Martin F Krafft wrote:
> also sprach Christian Kurz (on Mon, 24 Sep 2001 10:59:13PM +0200):
> > Hm, that doesn't make much sense too me. I think the best thing would be
> > to have /etc/bind inside $CHROOT and having no symlink.
> except if you want to enable the usual /etc/bind/ edit
On 01-09-25 Steve Greenland wrote:
> On 25-Sep-01, 03:12 (CDT), Christian Kurz <[EMAIL PROTECTED]> wrote:
> >
> > As I wrote in two emails before, this isn't a solution, since this
> > forces an administrator to use kernel 2.4.x instead of maybe still using
> > 2.2.x.
>
> I am so tired of hearin
On 25-Sep-01, 03:12 (CDT), Christian Kurz <[EMAIL PROTECTED]> wrote:
>
> As I wrote in two emails before, this isn't a solution, since this
> forces an administrator to use kernel 2.4.x instead of maybe still using
> 2.2.x.
I am so tired of hearing things like this. Nobody is forcing anyone to
d
On Tue, 25 Sep 2001, Christian Kurz wrote:
> On 01-09-24 Henrique de Moraes Holschuh wrote:
> > On Mon, 24 Sep 2001, Christian Kurz wrote:
> > > Hm, that doesn't make much sense too me. I think the best thing would be
> > > to have /etc/bind inside $CHROOT and having no symlink.
>
> > And scratc
On 01-09-25 Wichert Akkerman wrote:
> Previously Henrique de Moraes Holschuh wrote:
> > And scratch the second-most important feature of Debian (the first one being
> > the DFSG)? Do Not Move Config Files Out Of /etc. Ever. If you need it
> > elsewhere, at least leave a symbolic link in place.
>
On 01-09-24 Henrique de Moraes Holschuh wrote:
> On Mon, 24 Sep 2001, Christian Kurz wrote:
> > Hm, that doesn't make much sense too me. I think the best thing would be
> > to have /etc/bind inside $CHROOT and having no symlink.
> And scratch the second-most important feature of Debian (the firs
also sprach Wichert Akkerman (on Tue, 25 Sep 2001 03:57:49AM +0200):
> > And scratch the second-most important feature of Debian (the first one being
> > the DFSG)? Do Not Move Config Files Out Of /etc. Ever. If you need it
> > elsewhere, at least leave a symbolic link in place.
>
> bind mounts.
also sprach Christian Kurz (on Mon, 24 Sep 2001 10:59:13PM +0200):
> Hm, that doesn't make much sense too me. I think the best thing would be
> to have /etc/bind inside $CHROOT and having no symlink.
except if you want to enable the usual /etc/bind/ editing of
conf-files, which would make adminis
Previously Henrique de Moraes Holschuh wrote:
> And scratch the second-most important feature of Debian (the first one being
> the DFSG)? Do Not Move Config Files Out Of /etc. Ever. If you need it
> elsewhere, at least leave a symbolic link in place.
bind mounts.
Wichert.
--
On Mon, 24 Sep 2001, Christian Kurz wrote:
> Hm, that doesn't make much sense too me. I think the best thing would be
> to have /etc/bind inside $CHROOT and having no symlink.
And scratch the second-most important feature of Debian (the first one being
the DFSG)? Do Not Move Config Files Out Of
On 01-09-24 Martin F Krafft wrote:
> also sprach Christian Kurz (on Mon, 24 Sep 2001 10:31:54AM +0200):
> > So you want to force everyone who is interested in running this chroot
> > to use a kernel 2.4.x at least? That's in my opinion a not acceptable
> > solution, since the decision which kernel
On 01-09-24 Marco d'Itri wrote:
> On Sep 24, Christian Kurz <[EMAIL PROTECTED]> wrote:
>
> >So you want to force everyone who is interested in running this chroot
> >to use a kernel 2.4.x at least? That's in my opinion a not acceptable
> Yes, since managing a chroot environment without bind moun
On Sep 24, Christian Kurz <[EMAIL PROTECTED]> wrote:
>So you want to force everyone who is interested in running this chroot
>to use a kernel 2.4.x at least? That's in my opinion a not acceptable
Yes, since managing a chroot environment without bind mounts is way
harder and IMO cannot easily/cor
also sprach Christian Kurz (on Mon, 24 Sep 2001 10:31:54AM +0200):
> So you want to force everyone who is interested in running this chroot
> to use a kernel 2.4.x at least? That's in my opinion a not acceptable
> solution, since the decision which kernel is used, should never be
> depending on a c
On 01-09-23 Martin F Krafft wrote:
> complicated for i did not know about the mount --bind option. sure,
> this only works with 2.4.x, but if any chroot changes to bind9 are
> going public, then this will be bundled with a 2.4.x kernel-image,
> right? will testing be 2.4.x?
So you want to force ev
also sprach Marco d'Itri (on Sun, 23 Sep 2001 11:47:33AM +0200):
> There are no packaging changes needed.
> To chroot bind you just have to fix $OPTS in /etc/init.d/bind9 and
> create the two mount binds I described earlier.
marco is right, following his advice, i just chrooted my bind in the
most
On Sep 22, Bdale Garbee <[EMAIL PROTECTED]> wrote:
>Having said that, since I don't personally run bind9 in a chroot, I continue
>to be willing to accept a clueful patch to the current bind9 source in non-US
>to implement this... but am in no big rush to implement it myself.
There are no packa
also sprach Bryan Andersen (on Sat, 22 Sep 2001 05:42:23PM -0500):
> For even better security, just make the standard install chrooted
> if it is of wise security reasons to. I've long questioned why
> this hasn't been done for many daemons already. I know some people
> may feel that because it
On Sat, Sep 22, 2001 at 05:39:20PM +0200, Bernhard R. Link wrote:
> * Richard Atterer <[EMAIL PROTECTED]> [010922 16:26]:
> > One idea: In a configuration file, the user lists those daemons he
> > wants to run chrooted. init.d scripts that support it read this
> > information and act on it, copying
Martin F Krafft wrote:
>
> also sprach Richard Atterer (on Sat, 22 Sep 2001 10:03:55PM +0200):
> > What alternative possibilities for implementing this do you see? The
> > package will have to contain the necessary chrooting script somewhere,
> > and the admin will have to perform some action to t
also sprach Richard Atterer (on Sat, 22 Sep 2001 10:03:55PM +0200):
> What alternative possibilities for implementing this do you see? The
> package will have to contain the necessary chrooting script somewhere,
> and the admin will have to perform some action to trigger its
> execution. After he h
also sprach Bdale Garbee (on Sat, 22 Sep 2001 12:06:37PM -0600):
> Eee. Diversions are so, well, messy. I think the obvious right
> way to handle this is to add debconf support to the bind9 package
> asking whether to run in a chroot or not, and if the answer is yes,
> just do it. As has bee
On Sat, Sep 22, 2001 at 05:39:20PM +0200, Bernhard R. Link wrote:
> Help, please no. More supports for chroots may be nice. But not this
> way! init.d-scripts calling scripts, that parse global config files
> is ugly and one of the many points to make people switch from Suse
> or Redhat to debian.
[EMAIL PROTECTED] (Martin F Krafft) writes:
> i don't think a global solution is a good choice here. if i install
> bind9-chroot (hypothetically speaking), then bind9 should not possibly
> ever run non-chrooted again. this should be done via diversions.
Eee. Diversions are so, well, messy.
also sprach Richard Atterer (on Sat, 22 Sep 2001 03:28:21PM +0200):
> One idea: In a configuration file, the user lists those daemons he
> wants to run chrooted. init.d scripts that support it read this
> information and act on it, copying the required files to a chroot
> before starting the daemon
* Richard Atterer <[EMAIL PROTECTED]> [010922 16:26]:
> One idea: In a configuration file, the user lists those daemons he
> wants to run chrooted. init.d scripts that support it read this
> information and act on it, copying the required files to a chroot
> before starting the daemon there.
>
> (
WRT chrooting certain applications - wouldn't it make sense to mandate
one consistent way for the user to do this if the package supports it?
That way, chrooting daemons is much more user-friendly, which in turn
will (hopefully) lead to more people doing it.
One idea: In a configuration file, the
On Sep 21, Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote:
>inside the jail... (unless bind9 does not need to have any libs and config
>files such as resolv.conf inside its jail, in which case there is no need
>for such a script).
It does not.
The only things needed are /var/run/, /var/
On Fri, 21 Sep 2001, Martin F Krafft wrote:
> how about this: i'll make the package (which will basically be a
> postinst/prerm pair and nothing else, and then we can always integrate
IMHO it would be better if you did it the way it is done in the postfix
package. The initscript sets up the chroot
also sprach Bdale Garbee (on Thu, 20 Sep 2001 06:00:59PM -0600):
> > bind9-chroot -- convert a bind9 installation to a chroot'd one
>
> What does this package do? I have offered numerous times to accept a patch
> for the bind9 package to optionally implement chroot installation and nobody
> ha
On Thu, Sep 20, 2001 at 05:40:32PM +0200, Martin F Krafft wrote:
> i am not yet an official maintainer, but i do already have an advocate
> and sponsor (Colin - what's the status?)
Back from "vacation" and I'll help you now. Tell me if there are any
changes from the last iprelay stuff you sent me
Em Thu, 20 Sep 2001 17:40:32 +0200
Martin F Krafft <[EMAIL PROTECTED]> escreveu:
> however, in the mean time i am happily packaging along and submitting
> ITP's to bugs.debian.org the proper way. However, not once has one of
> these ITPs reached the debian-devel list. they have been confirmed,
> b
On Sep 20, Martin F Krafft wrote:
> i am not yet an official maintainer, but i do already have an advocate
> and sponsor (Colin - what's the status?)
>
> however, in the mean time i am happily packaging along and submitting
> ITP's to bugs.debian.org the proper way. However, not once has one of
>
On Thu, Sep 20, 2001 at 05:40:32PM +0200, Martin F Krafft wrote:
> however, in the mean time i am happily packaging along and submitting
> ITP's to bugs.debian.org the proper way. However, not once has one of
> these ITPs reached the debian-devel list. they have been confirmed,
> but they haven't b
You can either Cc: debian devel, or add a X-Debbugs-Cc: header (works
like Cc, but includes the bug# in the subject too).
IIRC, it is documented somewhere in the doc-debian package.
Cheers,
--
Gergely Nagy \ mhp/|8]
pgpWqyKFvBmI9.pgp
Description: PGP signature
hi guys,
i am not yet an official maintainer, but i do already have an advocate
and sponsor (Colin - what's the status?)
however, in the mean time i am happily packaging along and submitting
ITP's to bugs.debian.org the proper way. However, not once has one of
these ITPs reached the debian-devel l
60 matches
Mail list logo
